Question : Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

In our SBS event viewer I noticed a large number of security failures for the above logon process and authentication package:
*****
Logon Failure:
       Reason:      Unknown user name or bad password
       User Name:      666
       Domain:       
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Domain:      DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      12592
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
*****

The Username changes each attempt.

I initially thought that this was spawning from my SERVER, but after diagnosing the event log, I am thinking that it is a workstation on the domain that is attempting to connect.

Can anyone confirm this for me and suggest a strategy on how to find the workstation in question?
We currently only have AV installed on all using CA eTrust, but could look at Pest Patrol which is a part of the suite.

Answer : Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

If you don't use RWW, OWA, or Outlook Anywhere, then you can block incoming HTTP traffic completely (port 80).

For SMTP, unless you are using some form of SMTP relay, you have to let it in from all IP addresses so email can get delivered to you.

As long as you have a server on the internet, people will try to get into it. That is just a fact of life. Make sure you use strong passphrases (I like sentences, not just words) and are stringent in account lockout policies and most times you'll be fine. You just have to accept that these authentication warnings will show up. Part of being in the modern world.
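
Added example, not part of the original question or answer: a short Python script that reads failure records in the text layout shown in the question and groups the Advapi, Logon Type 3 failures by Caller Process ID, listing the distinct user names tried under each. The sample records are constructed (only the user name 666 and PID 12592 come from the page), and the function names and the `min_users` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout shown in the question.
# Only user name 666 and PID 12592 appear on the page; the rest is made up.
SAMPLE_LOG = """\
Logon Failure:
       User Name:      666
       Domain:
       Logon Type:      3
       Logon Process:      Advapi
       Caller Process ID:      12592
Logon Failure:
       User Name:      admin1
       Logon Type:      3
       Logon Process:      Advapi
       Caller Process ID:      12592
Logon Failure:
       User Name:      jsmith
       Logon Type:      2
       Logon Process:      User32
       Caller Process ID:      640
"""

# "Field name: value" lines; the value may be empty (as with Domain above).
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.M)

def parse_events(text):
    """Return one dict of fields per 'Logon Failure:' record in exported event text."""
    events = []
    for key, value in FIELD.findall(text):
        if key == "Logon Failure":
            events.append({})          # start of a new record
        elif events:
            events[-1][key] = value    # field belongs to the current record
    return events

def guessing_by_caller(events, min_users=2):
    """Map Caller Process ID -> sorted distinct failed user names (Advapi, type 3 only)."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("Logon Process") == "Advapi" and ev.get("Logon Type") == "3":
            seen[ev.get("Caller Process ID", "?")].add(ev.get("User Name", ""))
    return {pid: sorted(u) for pid, u in seen.items() if len(u) >= min_users}

if __name__ == "__main__":
    print(guessing_by_caller(parse_events(SAMPLE_LOG)))
```

A Caller Process ID that collects many different user names can then be matched against the PID column of the process list on the server to see which service is receiving the attempts.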